I am trying to perform a "for loop" Splunk style, with two sources: source1 and source2. The searches right now look like this:
1. source="source1" param1=value1 param2=value2 | stats values(token)
I need the token for the next one:
2. source="source2" param4="*" token
I tried this (but it returns the error "Error in 'map': Did not find value for required attribute 'token'"):
source="source1" param1=value1 param2=value2 | stats values(token) | map maxsearches=10 search="search source="source2" param4="*" token=$token$ | stats values(param4) by token "
Where am I wrong, and is there a way to optimize this?
I tried source1 OR source2, but then I need multiple OR (AND (OR)) clauses to match multiple needed parameters.
Thanks in advance,
The working solution looks like this (note: results may vary, depending on what fields you have extracted):
index=common_index source=source2 param5 param4="*" [ search index=common_index source=source1 param1=value1 param2=value2 | stats values(token) as omg | rename omg as query ] | stats values(param4) by token
This thing returns results like so:
param4_value1 token1
param4_value2 token2
param4_value2 token3
etc.
martin_mueller, thanks one more time for helping 🙂
You're basically trying to use results from one search to filter the next? No problem with subsearches:
source="source2" param4="*" [search source="source1" param1=value1 param2=value2 | fields token | dedup token]
Open the job inspector to see the expression being returned by the subsearch, it'll be a huge ((OR))-behemoth.
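An added example, not part of the original thread or the answerer's post, putting the approaches discussed here side by side. It uses the field names from the question (source1, source2, param1, param2, param4, token) and assumes a shared index named common_index, as in the asker's working search. The first search is the subsearch form from the answer: the bracketed search runs first and Splunk rewrites it into ((token="t1") OR (token="t2") ...), which is the expression the Job Inspector shows. The second does the same with the return command, which emits the (token="...") OR ... list explicitly. The third is the map form from the question with the naming problem fixed: stats values(token) produces a field literally named values(token), so $token$ had nothing to resolve to; stats count by token instead yields one row per distinct token with the field still called token, and map then runs one inner search per row (quotes inside the map search string are escaped with \").

```spl
index=common_index source="source2" param4="*"
    [ search index=common_index source="source1" param1=value1 param2=value2
      | fields token | dedup token ]
| stats values(param4) by token

index=common_index source="source2" param4="*"
    [ search index=common_index source="source1" param1=value1 param2=value2
      | return 1000 token ]
| stats values(param4) by token

index=common_index source="source1" param1=value1 param2=value2
| stats count by token
| map maxsearches=10 search="search index=common_index source=\"source2\" param4=\"*\" token=\"$token$\" | stats values(param4) by token"
```

Two caveats a practitioner should keep in mind. A subsearch is capped at 10,000 results and 60 seconds by default, and when either limit is hit the OR list is truncated without the outer search failing, so dedup (or return with an explicit count) keeps the expansion well under the limit. map, by contrast, runs a full search per token and stops at maxsearches, so it only makes sense for a handful of tokens; for anything larger the subsearch form is both cheaper and more predictable.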
The "[ inner search ]" returns the token alright; however, it seems that the outer one doesn't understand the token provided... I accepted your answer, as it seems the problem is related to my Splunk instance 🙂
True, but your way doesn't seem to be working.
The way I tried to do it, search 1 would return a list or a single token like so:
What search 2 does is, foreach tok_en*, get the logged error message. It seems I need more time.